Add option to allow client redirects from IPs in specified CIDR ranges in SSO client logins #44556
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
capnspacehook
force-pushed
the
capnspacehook/sso-insecure-cidr-redirects
branch
from
1b68ba6 to
595d09d
Compare
rosstimothy
reviewed
Jul 23, 2024
capnspacehook
force-pushed
the
capnspacehook/sso-insecure-cidr-redirects
branch
from
ac1563a to
73c651f
Compare
espadolini
reviewed
Jul 24, 2024
espadolini
reviewed
Jul 24, 2024
capnspacehook
force-pushed
the
capnspacehook/sso-insecure-cidr-redirects
branch
2 times, most recently
from
48fe0fe to
816b776
Compare
espadolini
previously approved these changes
Jul 24, 2024
There was a problem hiding this comment.
There's still maybe a point to ignoring invalid CIDRs (and invalid regexps, too, which utils.SliceMatchesRegex already hard fails on) since the rules are purely additive and there's no chance of potentially failing open, but as long as "standard" logins are guaranteed to not break, it's probably fine
rosstimothy
approved these changes
Jul 24, 2024
capnspacehook
force-pushed
the
capnspacehook/sso-insecure-cidr-redirects
branch
from
e3fd04e to
fa59038
Compare
public-teleport-github-review-bot
bot
removed request for
ravicious,
r0mant and
Joerger
|
I opted to log errors when dealing with invalid CIDRs and while I was at it regexes as well |
capnspacehook
force-pushed
the
capnspacehook/sso-insecure-cidr-redirects
branch
2 times, most recently
from
101e14c to
45cce5c
Compare
|
🤖 Vercel preview here: https://docs-dxanxmz4a-goteleport.vercel.app/docs/ver/preview |
espadolini
dismissed
their stale review
waiting for the client-side change to --callback
espadolini
approved these changes
Jul 26, 2024
…s in SSO client logins
r0mant
force-pushed
the
capnspacehook/sso-insecure-cidr-redirects
branch
from
a7ca727 to
2e2cc41
Compare
r0mant
changed the title
|
🤖 Vercel preview here: https://docs-m7xvqj2rr-goteleport.vercel.app/docs/ver/preview |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
@capnspacehook See the table below for backport results.
|
r0mant
pushed a commit
that referenced
this pull request
Jul 30, 2024
…s in SSO client logins (#44556) Co-authored-by: Andrew LeFevre <Andrew LeFevre>
This was referenced Aug 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #44535.
changelog: Add option to allow client redirects from IPs in specified CIDR ranges in SSO client logins